Network address translation

In our note on IP addresses, we described end-to-end network addressing, in which each host has a unique IP address. This is what the designers of the Internet intended, and it lets any host reach any other.

Unfortunately, end-to-end addressing also makes it easier for hackers to discover and infiltrate hosts, and it uses up available IP addresses quickly. For these reasons, we often place a firewall between a LAN and the Internet, and use a technique called network address translation (NAT) to hide the true addresses of LAN hosts. You may hear such networks referred to as walled gardens.

Take the CSUDH campus network as an example. csudh.edu has been assigned a block of IP addresses ranging from 155.135.0.0 through 155.135.255.255.

In the past, each host on campus was assigned its own IP address from within that range. Each host was directly reachable on the Internet.

Today, to combat hackers who were infiltrating the campus network, and running their own programs on some of our computers, we use NAT with non-routable IP addresses within the campus LAN.

The Internet Assigned Numbers Authority (IANA) has set aside blocks of non-routable addresses for use within LANs:

10.0.0.0 through 10.255.255.255
169.254.0.1 through 169.254.255.254
192.168.0.0 through 192.168.255.255

If you see an IP address in one of those ranges, you know it is for internal use within a LAN.

At CSUDH, the on-campus IP addresses are in the 10.xx.xx.xx block. These 10.xx.xx.xx addresses are not visible from off campus. The translation between our internal addresses and the visible addresses in the 155.135.xx.xx range is done using a table stored in the firewall.

Hosts that are running servers which need to be visible outside the firewall are assigned an address in the 155.135.xx.xx block as well as an internal address in the 10.xx.xx.xx block. The firewall keeps a table of their corresponding internal addresses and makes the appropriate substitutions.

The rest of the hosts on campus share a single external IP address, 155.135.55.200. The firewall keeps track of which internal host and process each outgoing packet came from, and therefore which internal host and process an incoming reply should be delivered to.
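To make the two kinds of translation concrete, here is a small model of the firewall's table in Python. It is an added example, not code from this page or from CSUDH; the server mapping 10.0.0.5 to 155.135.1.10, the internal hosts, and the port numbers are constructed, and 172.16.0.0/12 is included as a fourth internal block because RFC 1918 reserves it alongside the ranges listed above.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Blocks reserved for use inside a LAN: the three named above, plus
# 172.16.0.0/12, which RFC 1918 also sets aside (not listed on this page).
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr: str) -> bool:
    """True if addr falls in a non-routable block, so it cannot appear on the Internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)

Endpoint = Tuple[str, int]  # (ip, port)

class NatFirewall:
    """Toy model of the campus firewall's translation table (constructed example)."""

    def __init__(self, shared_external: str, static: Dict[str, str]):
        self.shared = shared_external                  # address shared by ordinary hosts
        self.static = static                           # server internal ip -> public ip
        self.static_rev = {v: k for k, v in static.items()}
        self.dynamic: Dict[Endpoint, Endpoint] = {}    # internal (ip,port) -> (shared,port)
        self.dynamic_rev: Dict[int, Endpoint] = {}     # shared port -> internal (ip,port)
        self.next_port = 40000                         # constructed starting port

    def outbound(self, src: Endpoint) -> Endpoint:
        """Rewrite the source of a packet leaving the LAN and remember the flow."""
        ip, port = src
        if not is_internal(ip):
            raise ValueError(f"{ip} is not an internal address")
        if ip in self.static:                          # server: 1:1 mapping, port kept
            return (self.static[ip], port)
        if src not in self.dynamic:                    # first packet: allocate a shared port
            ext = (self.shared, self.next_port)
            self.next_port += 1
            self.dynamic[src] = ext
            self.dynamic_rev[ext[1]] = src
        return self.dynamic[src]

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Rewrite the destination of a packet arriving from the Internet; None means drop."""
        ip, port = dst
        if ip in self.static_rev:                      # published server stays reachable
            return (self.static_rev[ip], port)
        if ip == self.shared:                          # only replies to known flows get in
            return self.dynamic_rev.get(port)
        return None                                    # not one of our addresses
```

An unsolicited packet to the shared address with no matching flow is dropped, which is the mechanism that keeps the 10.xx.xx.xx hosts invisible from off campus.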

Finally, note that we use the domain name system inside the firewall as well as outside. This table shows selected DNS entries on our non-routed campus LAN.


Disclaimer: The views and opinions expressed on unofficial pages of California State University, Dominguez Hills faculty, staff or students are strictly those of the page authors. The content of these pages has not been reviewed or approved by California State University, Dominguez Hills.